Network server authentication can be performed using certificates that can be verified as having originated from a trusted source. SSL (secure sockets layer) is an example of a protocol that uses certificates such as this. The certificates themselves may be created in accordance with the X.509 standard, and may be referred to as X.509 certificates.
Certificates are issued by CAs (certificate authorities) after the CA has verified the identity of the requesting entity and the other information that the entity seeks to assert. A certificate contains various types of information, and serves in part to bind an identified entity or website to an asymmetric key pair. The identity certificate is cryptographically signed by the issuing CA, and can be traced through a hierarchy of CAs to a CA that is known and trusted.
Certificates such as this are widely used on the Internet to establish the identity and/or authenticity of websites. When a consumer such as a web browser requests data from an entity's server, the server also provides the certificate of the website and one or more signatures. The signatures are generated using the private portion of the entity's asymmetric key pair and the certificate specifies the public portion of the key pair. The consumer can trace the validity of the certificate to a trusted CA, and can then verify the signatures using the public key specified by the certificate. The signatures may be part of the certificate itself, of a data object to be returned by the server, and/or of a combination of data.
A certificate is typically issued by a CA in return for a fee, after the CA has investigated and authorized the requesting entity. An issued certificate may be valid for months or years, and the certificate itself specifies its expiration date. Upon expiration of a certificate, the owning entity must again apply to the CA and go through an identity investigation/verification process.
Once issued, a certificate can be used without further authorization by or interaction with the issuing CA. Thus, the consequences of issuing a bad certificate are significant. Although there are revocation mechanisms that can be used to invalidate issued certificates, these mechanisms are often not reliable.